A server offers you many interesting possibilities. However, when you purchase a server with root access, you are also responsible for its security. This responsibility includes all actions performed by your server. For this reason it is very important that you secure your server as early as possible and increase the security level against cyber attacks in order to offer potential attackers as little attack surface as possible. 

This series of articles explains some important security recommendations and security measures that can help increase the security level of your Windows server.

This article provides general security recommendations and tips for configuring and operating your Windows server securely.

Install Security Patches and Updates Regularly and in Time

Usually, known vulnerabilities are closed with the help of published updates within a very short time. However, this only works if you regularly inform yourself about security patches and updates for the operating system and the installed programs and install them in time. Also make sure that security patches and updates for the plugins you use are installed promptly.

Almost all operating systems offer the option to download and install important security updates automatically in the background. If you are using Microsoft Windows Server 2016, you can configure the automatic installation of updates in the Windows Update settings. 

Note

If necessary, you can test security patches and updates for your applications and plug-ins before installing them, to check their possible effects on your specific environment, and then install them promptly on the server. Please note that you need a second server for such a test.

Always Use a Strong Password

Using weak passwords makes it easier for potential attackers to gain access to your server. If such an attack succeeds, the attacker could, for example, use your server for malicious activities, take advantage of your server's resources, or possibly take control of the server and lock you out.

You should therefore always use secure and complex passwords. Change the passwords regularly. The following criteria will help you to create a strong and secure password:

  • Use a separate password for each server and for each database running on the server.

  • Use a password that is not available in dictionaries.

  • Always use a password that is significantly different from previous passwords.

  • Do not use any personal data from your personal environment, such as birthdays, names, etc.

  • Do not use a password that contains the user name or company name.

  • Do not give your password to any third party.

  • Combine different types of characters, such as letters, numbers, and special characters.

  • Do not reuse passwords for different services.


A secure password contains:

  • at least 8 characters

  • upper and lower case letters: a-z, A-Z 

  • digits: 0-9

  • special characters

Limit Access to the Server

Access to the server should be granted only to users who need to work with it.

Develop an Appropriate Backup Strategy

Data loss can cause profound and costly damage. For this reason, you should develop an appropriate backup strategy as early as possible. Developing a backup strategy is technically very complex because many factors need to be considered. Some important factors are, for example:

  • Determination of the risk situation: The risk situation depends on the purpose of the server and the dependency on the database.

  • Classification of data: What type of data is this? Is it necessary to create backups of system-relevant data or personal data?

  • Availability of data: Which applications depend on the data and in what form? Do the applications also work without the relevant data?


In addition, you should consider and answer the following questions when developing your backup strategy:

  • Which data loss is acceptable?

  • How long would it take to reconstruct the data?

  • How much data do you handle at the moment? Will the amount increase in the future? 

  • How must the data be backed up?

  • Are there any deletion and storage periods?

  • Is the data confidential? Is special access protection required? Are there any legal requirements?

  • When can the backup be created without negative effects on other processes?

  • How long do you need to keep the backups?


Another important point to consider when developing your backup strategy is the backup type. Basically we can differentiate between the following types of backup:


Full backup

A full backup is a backup that contains all data selected for backup. 


Differential Backup

A differential backup contains all files that have changed or have been added since the last full backup. Changes are always determined in relation to the full backup. Differential backups therefore grow day by day until you perform a full backup again. However, they require less disk space than a full backup and can be performed faster.

To recover data from a differential backup, you must also have access to the last full backup. The individual differential backups can be handled independently of each other. 


Incremental Backup

Incremental backups are very space-saving and can be performed quickly. With an incremental backup, only the data that has been created or modified since the last backup is secured. It makes no difference whether that last backup was a full backup or an incremental backup.

As the backups are interdependent, you must also have access to the other backups in the backup chain to restore an incremental backup. If you delete one of the previous incremental backups or a full backup, you cannot restore the entire group.
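The dependency rules for differential and incremental backups can be checked mechanically. The following PowerShell sketch is an added example, not part of the original article: the catalogue, the `ParentId` field and the function name `Get-RestoreChain` are hypothetical and do not belong to any backup product. It returns the backups needed to restore a given restore point and fails when a link in the chain has been deleted.

```powershell
# Constructed catalogue (sample data). ParentId names the backup an entry is based on:
# a differential points at the last full backup, an incremental at the previous backup.
$catalogue = @(
    [pscustomobject]@{ Id = 1; Day = 'Sun'; Type = 'Full';         ParentId = $null }
    [pscustomobject]@{ Id = 2; Day = 'Mon'; Type = 'Incremental';  ParentId = 1 }
    [pscustomobject]@{ Id = 3; Day = 'Tue'; Type = 'Incremental';  ParentId = 2 }
    [pscustomobject]@{ Id = 4; Day = 'Wed'; Type = 'Incremental';  ParentId = 3 }
    [pscustomobject]@{ Id = 5; Day = 'Wed'; Type = 'Differential'; ParentId = 1 }
)

function Get-RestoreChain {
    param(
        [Parameter(Mandatory)] [object[]] $Catalogue,
        [Parameter(Mandatory)] [int] $TargetId
    )
    # Index the catalogue by Id so that parents can be looked up directly.
    $byId = @{}
    foreach ($backup in $Catalogue) { $byId[$backup.Id] = $backup }

    $chain = @()
    $id = $TargetId
    while ($null -ne $id) {
        if (-not $byId.ContainsKey($id)) {
            throw "Backup $id is missing, so backup $TargetId cannot be restored."
        }
        $chain = @($byId[$id]) + $chain   # prepend: the full backup ends up first
        $id = $byId[$id].ParentId         # a full backup has no parent and ends the walk
    }
    $chain
}

# Wednesday's incremental: the full backup plus every incremental up to Wednesday.
Get-RestoreChain -Catalogue $catalogue -TargetId 4 | Select-Object Id, Day, Type

# Wednesday's differential: only the full backup and the differential itself.
Get-RestoreChain -Catalogue $catalogue -TargetId 5 | Select-Object Id, Day, Type

# Simulate a deleted Monday incremental: the later incrementals can no longer be restored.
$damaged = $catalogue | Where-Object { $_.Id -ne 2 }
try   { Get-RestoreChain -Catalogue $damaged -TargetId 4 }
catch { Write-Warning $_.Exception.Message }
```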

In addition to the development of an appropriate backup strategy and the creation of backups on a regular basis, you should also make sure that the recovery of the backups is tested regularly. Regular testing can ensure the integrity of your backed up data and help you gain valuable experience in restoring your data.

Harden Your Applications

Depending on the applications installed, your server is exposed to different risks and threats. To protect yourself against these, you should harden your applications. Some tips are listed below:

  • For information on how to safely install and deploy the application, see the manufacturer's documentation and website.

  • Follow the best practices to install the respective application. 

  • Search for known vulnerabilities in your application. Common Vulnerabilities and Exposures (CVE®), for example, is a list of known vulnerabilities. Further information on CVE® can be found here: https://cve.mitre.org/

  • Check your server for vulnerabilities with a program such as Nmap.

  • Perform a penetration test to identify further vulnerabilities.

Only Install Required Applications

Only install applications that you really need. The more applications you install on the server, the greater the risk of vulnerabilities.

Note

If possible, install applications only from official sources. Applications from unofficial sources may contain malware and/or viruses.

Turn off or Uninstall Services You Don't Need

Depending on the operating system used and the type of installation, various additional programs and services are installed. Often many of these additional programs and services are not needed. 

By turning off these unnecessary add-ons and services, you can reduce security risks. Therefore, identify the services and tasks that are not necessary to manage your network, and then disable the associated system policy rules.

Only Open the Ports You Really Need

Open ports rarely pose a security risk. If you use a small number of third-party applications, the number of ports required is manageable. These open ports only become a risk if the responding applications have vulnerabilities and attackers take advantage of this circumstance. This risk increases with the number of applications you install on the server.
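To see which applications and services are actually answering on open ports, you can inventory the listening TCP ports on the server itself. The following PowerShell script is an added example, not part of the original article; the port allowlist is a constructed assumption that you need to adapt to the role of your server, and UDP listeners are not covered.

```powershell
# Assumption: TCP ports this server is meant to expose (constructed allowlist).
$expectedPorts = 80, 443, 3389

# Map process IDs to the Windows services hosted in them.
$servicesByPid = @{}
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($svc.ProcessId) {
        $servicesByPid[[int]$svc.ProcessId] += @($svc.Name)
    }
}

# One row per listening TCP port that is not bound to the loopback interface only.
$report = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
    Group-Object -Property LocalPort |
    ForEach-Object {
        $port   = [int]$_.Name
        $procId = [int]$_.Group[0].OwningProcess
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port     = $port
            Process  = $proc.ProcessName
            Services = $servicesByPid[$procId] -join ', '
            Expected = $port -in $expectedPorts
        }
    } | Sort-Object -Property Port

# Full inventory of listeners with the owning process and services.
$report

# Listeners outside the allowlist: check whether the service behind them is needed at all.
$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) listening port(s) are not on the allowlist."
}
```

Run the script in an elevated PowerShell session so that processes of other accounts can be resolved.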

Monitor Your Server

Monitoring is an important tool to increase the security of your server. Detecting a server failure, or the failure of individual components or applications, in time is only possible if you monitor the server. This also applies to certain types of cyber attacks. If your server is attacked, a fast reaction is essential to stop the attack and minimize the damage caused.

In addition, we recommend that you regularly check the security log entries of your server.

You can find a list of the events to be monitored here:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor?redirectedfrom=MSDN
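A regular check of the security log can be scripted. The following PowerShell script is an added example, not part of the original article: it summarizes failed logons (event ID 4625, "An account failed to log on") by source address and account. The 24-hour window and the threshold of 10 failures are assumptions chosen for illustration.

```powershell
# Assumptions (not from the article): look back 24 hours, report 10 or more failures.
$since     = (Get-Date).AddHours(-24)
$threshold = 10

# Event ID 4625 in the Security log records a failed logon attempt.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named fields from the event XML instead of relying on field positions.
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Account   = $fields['TargetUserName']
            Source    = $fields['IpAddress']
            LogonType = $fields['LogonType']
        }
    } |
    # Count failures per source address, account and logon type.
    Group-Object -Property Source, Account, LogonType |
    Where-Object { $_.Count -ge $threshold } |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name
```

Reading the Security log requires an elevated PowerShell session. Each output row shows the number of failures followed by source address, account name and logon type.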

Scan Your Server Regularly for Malware

Malware, viruses and ransomware can cause considerable damage. Make sure you have up-to-date anti-virus and anti-spyware software installed on your server and update your anti-virus and anti-malware signatures regularly. Also make sure that the virus scanner is permanently active and monitors data traffic. In addition, regularly perform a full scan of the hard drives or SSDs.

More articles from this series

The second article of this series can be found here:

Important Security Information for Your Windows Server (Part 2 of 2)